Received: by 2002:ad5:4acb:0:0:0:0:0 with SMTP id n11csp936299imw; Fri, 15 Jul 2022 16:13:50 -0700 (PDT) X-Google-Smtp-Source: AGRyM1uS3ofXRYx9y3bav0at2eXfq8LN0JmIqB1ogm5R3KxTwIc2p50Z3J2k4grLAM+FShJJvGEK X-Received: by 2002:a17:90b:504:b0:1e6:a0a4:c823 with SMTP id r4-20020a17090b050400b001e6a0a4c823mr24849878pjz.190.1657926829893; Fri, 15 Jul 2022 16:13:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1657926829; cv=none; d=google.com; s=arc-20160816; b=R1zk52D2UmVijsT3K1opwA6Qz8z4RJkpwZOC0uJUG8UdloMAijslqI/Y/zOhT1fkMo Xh2w8gkP0Rd3RLwNzvU1luOYWCkLKoFhjWdGPNvzMfxTn5pzm2+PfR+poZHH1AILuOiO M0yKIlpasmUJLFCHmuDNYrgMhx++0ZX2SWWRjtwEQ8dcQUS1vCUAb6Uyl/f8LPZKFGSR dAF9HPfe68SwGqwOwo9GDuljclShHhb6G404OoIYw2kFE31zaYU7YnysnP1E4m/AOR29 /prAPMjYTD9ANM0nS5MhobHNou9BIYK0N8zcmlBmY0OG469biT9M/UrQNqZv9ibQYUHX B4hg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:sender:dkim-signature; bh=8LRdXnGBkh1a1Ag07+rxl01ofzEnK6fRJxzyJOKUGrY=; b=Y5YAXH+YNx+PpuEFoiaGMCjHXETclV/kply4wBfhyCDSYbHyOMxLIarKZ5WWcHGDgd rf/9SjG1WKwtHAvunYJCYMtFy1IzFv60dE0Llp6932p/41koi+WFlEVl6BSSG6ClOU+z fcMcZFLCIq9HDz5aVyqUbWtz8ckhbd2FtgTN8dVgAH0KC9aV4EMsuo0lcV2J7/idEc6T 05OYNMU06w3Elc3BPunpiI9lxqmF6IQswZrjM4yuFOl/PMiG+GpfW9G8h8I/qyhDMjkX m4sSKpo8ZSvj4vLhykFrUO/sFpAA+R31bU/k9FZeyVO7WyICO4q7ainZbk+Y6CIOFISR PXYw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=XS3Z2gA2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id 135-20020a62158d000000b005252fcca2f9si6260212pfv.204.2022.07.15.16.13.34; Fri, 15 Jul 2022 16:13:49 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=XS3Z2gA2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231576AbiGOWvk (ORCPT + 99 others); Fri, 15 Jul 2022 18:51:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53404 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231374AbiGOWv1 (ORCPT ); Fri, 15 Jul 2022 18:51:27 -0400 Received: from mail-pj1-x1035.google.com (mail-pj1-x1035.google.com [IPv6:2607:f8b0:4864:20::1035]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8DDCE45987; Fri, 15 Jul 2022 15:51:26 -0700 (PDT) Received: by mail-pj1-x1035.google.com with SMTP id o31-20020a17090a0a2200b001ef7bd037bbso7491630pjo.0; Fri, 15 Jul 2022 15:51:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=8LRdXnGBkh1a1Ag07+rxl01ofzEnK6fRJxzyJOKUGrY=; b=XS3Z2gA2bLok1BviOoFR20EFum6E32EdzNTg8lz3RcXaR9CKnwHU5jEl8cCwB/5zxP lWg74saq9rF69oeq6z190xvyuNiPvPxRfpQEkXDzQ56K5avOqUVA28tuZqmNaZ2e1ztU OWxA4QhCJsNHPeYVGlloz1wRXWRTKPXfMMxKfEESYiOYaT1UQdZUVfZ2u8O4xIHwPDi6 f5WPXsjMK9jP9kPsfRnQeUFJV+O2gkA90F8ryajynYiPLzf8s9OE9JwkKF/CLi7Q4R0s gnG6c2BN6FVuztpQi6ONCQmT/kSqm7nJXdIVZOrGHuckAB2Un0b94zHGgxH0TE225coI bt9g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:sender:date:from:to:cc:subject:message-id :references:mime-version:content-disposition:in-reply-to; bh=8LRdXnGBkh1a1Ag07+rxl01ofzEnK6fRJxzyJOKUGrY=; b=VHDQ+X7WuMB21rVVjSjlGghjLrMvi3nYPKoKjt17nS2psZwYmhomesqucP0MJLQ3Ir garhfBINNU5rRztiouHOM1Vvs4R9cyoXFXfv+gk+wCOsSOescKXBn9qm7zztkhTAE9zS lAdm5u1ZLQ4lWqPhOYVB2GDK6G8zLyrov6XQq6KTTTSGtZL270fCLdMfWpJnbd2bLMvl geFW00VMxDZJyhvPk5JykAcA8AJS+Gnwl8FMGmSpMIBjEkk0Zeg7hj+2C80gr3c0/DOf NWDI/jMlEdn704+AwAFovhAazHRQAGZ+1PRm5y9c9VMhJCuJfA6hHDbgNtslH4adYReT Tk8w== X-Gm-Message-State: AJIora9upYrC7UdXgu9Fylxc67C4oYCd7TqixzYxjnwC9Z9vaKG2ISdN R8lTtztnQ/s1T3kICr+oU+wex8TL1Vpw7w== X-Received: by 2002:a17:902:f152:b0:16b:e29c:fbd5 with SMTP id d18-20020a170902f15200b0016be29cfbd5mr15776217plb.67.1657925485953; Fri, 15 Jul 2022 15:51:25 -0700 (PDT) Received: from server.roeck-us.net ([2600:1700:e321:62f0:329c:23ff:fee3:9d7c]) by smtp.gmail.com with ESMTPSA id m5-20020a170902db0500b001677d4a9654sm4111063plx.265.2022.07.15.15.51.24 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 15 Jul 2022 15:51:24 -0700 (PDT) Sender: Guenter Roeck Date: Fri, 15 Jul 2022 15:51:23 -0700 From: Guenter Roeck To: Thadeu Lima de Souza Cascardo Cc: linux-kernel@vger.kernel.org, linux-efi@vger.kernel.org, x86@kernel.org, ardb@kernel.org, tglx@linutronix.de, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, Peter Zijlstra , Borislav Petkov , Josh Poimboeuf , stable@vger.kernel.org Subject: Re: [PATCH] efi/x86: use naked RET on mixed mode call wrapper Message-ID: <20220715225123.GA2177570@roeck-us.net> References: <20220715194550.793957-1-cascardo@canonical.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220715194550.793957-1-cascardo@canonical.com> X-Spam-Status: No, score=-1.3 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT, FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jul 15, 2022 at 04:45:50PM -0300, Thadeu Lima de Souza Cascardo wrote: > When running with return thunks enabled under 32-bit EFI, the system > crashes with: > > [ 0.137688] kernel tried to execute NX-protected page - exploit attempt? (uid: 0) > [ 0.138136] BUG: unable to handle page fault for address: 000000005bc02900 > [ 0.138136] #PF: supervisor instruction fetch in kernel mode > [ 0.138136] #PF: error_code(0x0011) - permissions violation > [ 0.138136] PGD 18f7063 P4D 18f7063 PUD 18ff063 PMD 190e063 PTE 800000005bc02063 > [ 0.138136] Oops: 0011 [#1] PREEMPT SMP PTI > [ 0.138136] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.19.0-rc6+ #166 > [ 0.138136] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 > [ 0.138136] RIP: 0010:0x5bc02900 > [ 0.138136] Code: Unable to access opcode bytes at RIP 0x5bc028d6. > [ 0.138136] RSP: 0018:ffffffffb3203e10 EFLAGS: 00010046 > [ 0.138136] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000048 > [ 0.138136] RDX: 000000000190dfac RSI: 0000000000001710 RDI: 000000007eae823b > [ 0.138136] RBP: ffffffffb3203e70 R08: 0000000001970000 R09: ffffffffb3203e28 > [ 0.138136] R10: 747563657865206c R11: 6c6977203a696665 R12: 0000000000001710 > [ 0.138136] R13: 0000000000000030 R14: 0000000001970000 R15: 0000000000000001 > [ 0.138136] FS: 0000000000000000(0000) GS:ffff8e013ca00000(0000) knlGS:0000000000000000 > [ 0.138136] CS: 0010 DS: 0018 ES: 0018 CR0: 0000000080050033 > [ 0.138136] CR2: 000000005bc02900 CR3: 0000000001930000 CR4: 00000000000006f0 > [ 0.138136] Call Trace: > [ 0.138136] > [ 0.138136] ? efi_set_virtual_address_map+0x9c/0x175 > [ 0.138136] efi_enter_virtual_mode+0x4a6/0x53e > [ 0.138136] start_kernel+0x67c/0x71e > [ 0.138136] x86_64_start_reservations+0x24/0x2a > [ 0.138136] x86_64_start_kernel+0xe9/0xf4 > [ 0.138136] secondary_startup_64_no_verify+0xe5/0xeb > [ 0.138136] > > That's because it cannot jump to the return thunk from the 32-bit code. > Using a naked RET and marking it as safe allows the system to proceed > booting. > > Fixes: aa3d480315ba ("x86: Use return-thunk in asm code") > Reported-by: Guenter Roeck > Signed-off-by: Thadeu Lima de Souza Cascardo > Cc: Peter Zijlstra (Intel) > Cc: Borislav Petkov > Cc: Josh Poimboeuf > Cc: No more crashes with this patch applies on top of the mainline kernel (sha e5d523f1ae8f). Tested-by: Guenter Roeck Guenter